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Top Stories 

• Officials reported September 28 that the number of information security incidents affecting 
systems supporting the Federal Government grew 1,121 percent since 2006 and the number 
of incidents involving personal identifiable information more than doubled from 2009 to 
2014. - Network World (See item 23) 

• Apple released OS X version 10.11 El Capitan to address over 100 security vulnerabilities. 
- Threatpost (See item 25) 

• Researchers discovered a series of Android media processing vulnerabilities, dubbed 
Stagefright 2.0, affecting over 1 billion devices which could allow an attacker to trick users 
into visiting maliciously crafted Web sites. - IDG News Service (See item 26 ) 

• Researchers disclosed a critical zero day WinRAR remote code execution vulnerability 
affecting up to 500 million users, where an attacker could inject malicious code into an 
archive that would automatically execute upon unzipping. - Computerworld (See item 27 ) 
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Energy Sector 

1. October 1, U.S. Environmental Protection Agency - (California) EPA reaches $55 
million settlement for soil clean-up at South-Bay Superfund Site. Shell Oil 
Company and the U.S. General Services Administration reached a $55 million 
settlement September 30 with the U.S. Environmental Protection Agency for the 
cleanup of contaminated soil at the Del Amo Superfund Site in Los Angeles in order to 
help prevent surface exposure of industrial chemicals and reduce sources of 
groundwater contamination. Cleanup efforts will include injecting chemicals into the 
ground at three locations and capping several areas to prevent exposure to shallow soil 
contamination. 

Source: 

http://vosemite.epa.gOv/opa/admpress.nsf/0/667165b613a2258f85257ed000677a0a 

2. October 1, Associated Press - (National) EPA sets limit for toxic pollutants from 
power plants. The U.S. Environmental Protection Agency (EPA) imposed new 
standards for mercury, lead, and other toxic pollutants that are discharged from steam 
electric power plants into waterways September 30, effectively removing 1 .4 billion 
pounds a year of toxic metals discharged nationwide. The EPA stated that only 134 
plants will have to meet the new rules and that most of the nation’s 1,080 steam electric 
power plants already meet the requirements. 

Source: http : //w w w. telegram.com/article/20 151001 /NEW S/15 1 0099 1 5 

Chemical Industry Sector 

3. September 30, WTVD 11 Durham - (North Carolina) Vapor leaks from tank at Dunn 
chemical plant. Brainerd Chemical in Dunn and surrounding businesses were 
evacuated September 30 after a vapor cloud escaped from a stationary hydrochloric 
acid storage tank due to a malfunctioning gasket. Local firefighters reported that the 
public faced no threat once the cloud moved north and dissipated, and State air quality 
officials gave the all-clear. 

Source: http://abcll.com/news/vapor-leak-at-brainerd-chemical-in-dunn/1009568/ 

Nuclear Reactors, Materials, and Waste Sector 

Nothing to report 

Critical Manufacturing Sector 

4. September 30, U.S. Department of Labor - (Illinois) Electronics recycling workers 
exposed to high levels of lead, cadmium at Plainfield, Illinois, facility. The 
Occupational Safety and Health Administration cited Plainfield-based Kuusakoski US 
LLC September 28 for 26 serious health violations, including overexposure of workers 
to high airborne concentrations of lead and cadmium, failing to train workers on 
associated hazards, and failing to implement respiratory and hearing conservation 
programs, among others. Proposed penalties total $114,800. 

Source: 
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https://www.osha.gov/pls/oshaweb/owadisp.show document?p table=NEWS RELEA 
SES&p id=28809 



Defense Industrial Base Sector 

5. September 30, WMTW 8 Poland Springs - (Maine) Flooded Bath substation knocks 
out power to shipyard. Windy, rainy conditions and resultant flooding in a substation 
knocked out power to Bath Iron Works September 30, prompting shipyard officials to 
dismiss employees and cancel the facility’s second shift. Power was restored several 
hours later. 

Source: http://www.wmtw.com/news/flooded-bath-substation-knocks-out-power-to- 
shipyard/35579282 

Financial Services Sector 

6. September 30, KDKA 2 Pittsburgh - (Pennsylvania) Feds seize assets, cash from 
woman accused in $15M embezzlement scheme. Federal authorities were 
investigating a former Matthews International Corporation treasurer specialist in 
Pittsburgh and seized millions of dollars in cash and assets September 30 in connection 
to an alleged fraud scheme in which the suspect allegedly took $15 million from the 
company since 2003. 

Source: http://pittsburgh.cbslocal.com/2015/09/30/feds-seize-assets-cash-from-woman- 
accused-in- 15m-embezzlement-scheme/ 



Transportation Systems Sector 

7. October 1, News 13 Central Florida - (Florida) Northbound 1-95 reopens after truck 
fire in Dayton Beach. Northbound Interstate 95 in Daytona Beach reopened October 1 
after being shut down for approximately 10 hours while crews cleared the scene and 
repaired the roadway following a semi-truck fire. 

Source: 

http://www.mynewsl3.com/content/news/cfnewsl3/news/article.html/content/news/arti 
cles/cfn/20 15/9/30/i 95 fire daytona beach.html 

8. October 1, WHTM 27 Harrisburg - (Pennsylvania) Route 15 reopens after crash 
near Gettysburg. A portion of Route 15 in Adams County reopened October 1 after 
being shut down for approximately 8 hours when a semi-truck overturned and a second 
vehicle crashed into it, injuring both drivers. 

Source: http : //abc27 .com/20 15/1 0/0 1/route- 1 5 -shut-do wn-for-tractor-trailer-crash/ 

9. September 30, WTSP 10 Tampa Bay - (Florida) Nampa pilot killed in small plane 
crash in Florida. A man died in a small plane crash on a runway at the St. Pete- 
Clearwater International Airport in Florida September 30 shortly after take-off, 
prompting officials to divert all incoming and outgoing flights to an alternate runway. 
Source: http://www.ktvb.corn/storv/news/local/2015/09/30/nampa-pilot-killed-small- 
plane-crash-florida/7 3123278/ 
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Food and Agriculture Sector 



10. October 1, U.S. Environmental Protection Agency - (National) Major fertilizer 
producer Mosaic Fertilizer, LLC to ensure proper handling, storage and disposal 
of 60 billion pounds of hazardous waste / manufacturer committing close to $2 
billion in funding to address environmental impacts from fertilizer production. 

The U.S. Environmental Protection Agency and the U.S. Department of Justice 
announced a settlement October 1 with Mosaic Fertilizer following a series of alleged 
violations at the company’s 8 facilities in Florida and Fouisiana to ensure the proper 
treatment, storage, and disposal of 60 billion pounds of hazardous waste. Under the 
settlement Mosaic will spent $170 million on projects to reduce the environment 
impacts of its facilities and pay $2.2 million in civil penalties to the State of Fouisiana 
and $1.45 million to the State of Florida. 

Source: 

http://vosemite.epa.gOv/opa/admpress.nsf/0/26736b02bl788ad285257edl00409f70 

1 1 . September 30, U.S. Department of Labor - (Illinois) Ammonia hazard training 
absent for temporary workers at Illinois. The Occupational Safety and Health 
Administration issued one repeated and one serious safety violation to Bridgeview, 
Illinois-based Stampede Meat Inc., September 30 after an April 30 inspection revealed 
failures to provide training to new employees about hazardous chemicals and failure to 
train workers on emergency action plan procedures. Proposed penalties total $45,000. 
Source: 

https://www.osha.gov/pls/oshaweb/owadisp.show document?p table=NEWS REFEA 
SES&p id=288 1 8 

12. September 30, U.S. Food and Drug Administration - (National) Salix Animal Health, 
LLC, announces voluntary recall of one lot of “Good ‘N’ Fun - Beefhide Chicken 
Sticks” dog treats due to possible salmonella contamination. The U.S. Food and 
Drug Administration announced September 30 that Deerfield, Florida-based Salix 
Animal Health, EEC is voluntarily recalling one lot of “Good ‘n’ Fun - Beefhide 
Chicken Sticks” due to potential Salmonella contamination. The product was 
distributed nationwide by Salix Animal Health to Dollar General and Dollar Tree retail 
stores. 

Source: http://www.fda.gov/Safety/Recalls/ucm465183.htm 

13. September 30, U.S. Food and Drug Administration - (New York; Pennsylvania) 
United TC issues allergy alert on undeclared sulfites in golden raisins. The U.S. 
Food and Drug Administration announced September 30 that Dayton, New Jersey- 
based United TC of Dayton is recalling its 16-ounce and 30-pound bulk cartons of 
Basma Golden Raisins due to undeclared sulfites. The products were distributed in 
New York and Pennsylvania retail stores. 

Source: http ://w w w.fda. gov/S afety/Recalls/ucm465 178 .htm 

14. September 30, U.S. Food and Drug Administration - (New York; New Jersey) Fatima 
Brothers issues alert on undeclared sulfites in Shad Raisins. The U.S. Food and 
Drug Administration announced September 28 that Maspeth, New York-based Fatima 
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Brothers Inc., is recalling its 7-ounce and 14-ounce packages of SHAD RAISINS due 
to undeclared sulfites. The products were distributed in New York and New Jersey. 
Source: http://www.fda.gov/Safetv/Recalls/ucm465050.htm 

Water and Wastewater Systems Sector 

15. September 30, WJZY 46 Charlotte - (North Carolina) Lake Norman sewage spill ‘no 
swimming’ advisory. The Lincoln County Director issued a swimming advisory for 
Lake Norma September 30 after a mechanical failure at a lift station in Denver spilled 
1,000 gallons of sewage into a cove. The Lincoln County Public Works Department is 
taking water samples and all residents are advised that the area may be contaminated 
with fecal coliform. 

Source: http://www.fox46charlotte.com/news/local-news/26835239-story 

16. September 30, Logan Banner - (West Virginia) Boil water advisories issued 
throughout Logan County. All customers of Chapmanville Water, including 
customers of the Logan County Public Service District, were placed under a boil water 
advisory September 30 until further notice due to a leak that caused low water tank 
levels. 

Source: http://loganbanner.com/news/2656/boil-water-advisories-issued-throughout- 
logan-county 

For another story, see item 2 

Healthcare and Public Health Sector 

17. September 30, New York Daily News - (New York) 1 dead from Legionnaires’ 
disease in new Bronx outbreak. New York City health officials reported September 
30 that one individual died from Legionnaire’s disease in a new outbreak in the Morris 
Park neighborhood of the Bronx. Thirteen others tested positive for the disease and 
seven cooling towers in the area were cleaned and disinfected after test results found 
the presence of Legionella bacteria in the towers. 

Source: http://www.msn.com/en-us/news/us/l-dead-from-legionnaires-disease-in-new- 
bronx-outbreak/ar- AAeV OFm 

18. September 30, U.S. Attorney’s Office, Western District of Tennessee - (Tennessee) 
Two men plead guilty to defrauding Memphis VA Medical Center of $1 million. 
State officials announced September 30 that a former employee and an accomplice 
pleaded guilty to conspiring to embezzle over $1 million from the Memphis Veterans 
Affairs (VA) Medical Center in Tennessee by creating a fake medical supply company 
to serve as a vendor that provided medical supplies to the center. The former employee 
used a company-issued credit card to fraudulently pay the hoax company for supplies 
that were never provided to the VA, conducting over 300 transactions. 

Source: http://www.iustice.gov/usao-wdtn/pr/two-men-plead-guiltv-defrauding- 
memphis-va-medical-center-1 -million 
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19. September 30, SC Magazine - (Illinois) Equipment containing patient data stolen 



from Illinois orthopedic provider. Barrington Orthopedic Specialists in Illinois 
notified 1 ,009 patients September 25 that their personal and medical information may 
have been accessed after a laptop and EMG machine were stolen from a transport 
vehicle between August 14 and August 18. The medical center is reviewing and 
revising its security procedure and continues to investigate. 

Source: http ://www . scmagazine.com/eq uipment-containing-patient-data- stolen-from- 
illinois-orthopedic-provider/article/442044/ 

Government Facilities Sector 

20. September 30, Montgomery Advertiser - (Alabama) Five Alabama parks to close Oct. 
15 . Blandon Springs, Paul M. Grist State Park, Chickasaw State Park, Florala State 
Park, and Roland Cooper State Park in Alabama will close October 15 due to a lack of 
funding and budget problems. 

Source: http://www.montgomervadvertiser.com/story/news/2015/09/30/five-alabama- 
parks-close-oct- 15/73098068/ 

21. September 30, Bergen County Record - (New Jersey) NJ Justice Complex to remain 
closed Thursday due to chemical leak. The Richard J. Hughes Justice Complex in 
Trenton remained closed October 1 after evacuating and closing September 30 when R- 
22 cooling gas was found leaking on the ninth floor. The leak was contained and crews 
worked to purify the air and replace the pipe. 

Source: http://www.northiersev.com/news/ni-iustice-complex-to-rernain-closed- 
thursday-due-to-chemical-leak- 1 . 1 42 1 644 

22. September 30, WAFF 48 Huntsville - (Alabama) Chemical experiment at UAH’s 
Shelby Center prompts evacuation. The Shelby Center at the University of Alabama 
in Huntsville was evacuated and classes were cancelled September 30 after a chemical 
experiment set off fire alarms. Three people were transported to an area hospital as a 
precaution and crews worked to ventilate the lab and check the building. 

Source: http://www.waff.com/storv/30155898/chemical-experirnent-at-uahs-shelby- 
center-prompts-evacuation 

23. September 30, Network World - (National) Network security weaknesses plague 
federal agencies. The U.S. Government Accountability Office released a report the 
week of September 28 which found that the number of information security incidents 
affecting systems supporting the Federal Government grew 1,121 percent since 2006 
and that the number of incidents involving personal identifiable information (PII) more 
than doubled from 2009 to 2014. The report also detailed how information and systems 
remain at high risk of unauthorized access and disruption, and that weaknesses existed 
at effectively implementing security controls, among other findings. 

Source: http://www.networkworld.com/article/2988055/security/network-securitv- 
weaknesses-plague-federal-agencies.html 

24. September 30, Sioux Falls Argus Leader - (South Dakota) Heroes emerge from 
shooting at Harrisburg High School. Harrisburg High School in South Dakota was 
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evacuated and classes were dismissed September 30 after a student got into a struggle 
with the principal before shooting him in the arm. Staff managed to tackle and subdue 
the student until police arrived, and classes were scheduled to resume October 1. 
Source: http://www.argusleader.com/storv/news/crime/2015/09/30/shots-fired- 
harrisburg-high-all-students-safe-principal- wounded/73085090/ 

Emergency Services Sector 

Nothing to report 

Information Technology Sector 

25. October 1, Threatpost - (International) Apple patches 100+ vulnerabilities in OS X, 
Safari, iOS. Apple released OS X version 10.11 El Capitan addressing over 100 
security vulnerabilities, including 20 hypertext preprocessor (PHP) flaws, XARA 
password stealing vulnerabilities which could allow an attacker to use a malicious 
application to access a user’s keychain, and 45 issues in the Safari 9 Web browser, 
among others. 

Source: https://threatpost.com/apple-patches-10Q-vulnerabilities-in-os-x-safari- 
ios/1 14876/ 



26. October 1, IDG News Service - (International) New Android vulnerabilities put over 
a billion devices at risk of remote hacking. Security researchers from Zimperium 
discovered a series of Android media processing vulnerabilities, dubbed Stagefright 
2.0, affecting over 1 billion devices which could allow an attacker to trick users into 
visiting maliciously crafted Web sites that would exploit the flaws and lead to remote 
code execution on almost all devices starting with version 1.0 of the operating system 
(OS). 

Source: http://www.computerworld.com/article/2988157/android/new-android- 
vulnerabilities-put-over-a-billion-devices-at-risk-of-remote-hacking.html 

27. September 30, Computerworld - (International) Critical flaw puts 500 million 
WinRAR users at risk of being pwned by unzipping a file. Security researchers 
disclosed a critical zero day WinRAR remote code execution vulnerability affecting up 
to 500 million users, in which an attacker could inject malicious code into an archive 
that would automatically execute upon unzipping. The vulnerability can be exploited 
without system user privileges or user interaction. 

Source: http://www.computerworld.com/article/2987749/cvbercrime-hacking/critical- 
flaw-puts-500-million-winrar-users-at-risk-of-being-pwned-by-unzipping-a-file.html 



Internet Alert Dashboard 



To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or 
visit their Web site: http://www.us-cert.gov 

Information on IT information sharing and analysis can be found at the IT IS AC (Information Sharing and 
Analysis Center) Web site: http://www.it-isac.org 
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Communications Sector 



Nothing to report 

Commercial Facilities Sector 



28. October 1, U.S. Environmental Protection Agency - (National) Tractor supply 
company agrees to implement company-wide compliance program to resolve 
Clean Air Act violations. Tractor Supply Company Inc., and Tractor Supply Company 
of Texas L.P., reached a settlement September 30 with the U.S. Environmental 
Protection Agency and the U.S. Department of Justice to resolve alleged Clean Air Act 
violations after the companies reportedly imported and sold over 28,000 all-terrain 
vehicles, off-highway motorcycles, and engines that did not comply with Federal 
certification and emissions information labeling requirements. The companies will pay 
a $775,000 civil penalty and implement a compliance plan to prevent future violations. 
Source: 

http://vosemite.epa.gOv/opa/admpress.nsf/0/F0ACAA9AB2B9ACA485257ED000604F 

C8 

29. September 30, NBC News - (International) Trump Hotels confirm hack exposed 
customer credit card info. Trump Hotel Collection confirmed that seven of its 
properties, including one in Canada, were the target of a data breach between May and 
June, potentially exposing the credit and debit card information for an unknown amount 
of customers. The company removed the malware that infected its point-of-sale 
terminals and is working to reconfigure its network. 

Source: http://www.nbcnews.com/tech/securitv/trump-hotels-confirm-hack-exposed- 
customer-credit-card-info-n436501 



30. September 30, News 12 Bronx - (New York) 4-alarm fire rips through apartment 
building on Grand Concourse. A 4-alarm fire September 30 at 1055 Grand 
Concourse apartment complex in the Bronx displaced 54 families after the blaze began 
on the fourth floor and was caused by faulty electrical wiring in a space between the 
building’s roof and ceiling. 

Source: http://bronx.newsl2.com/news/4-alarm-fire-rips-through-apartment-building- 
on-grand-concourse- 1 .10906979 

For another story, see item 3 

Dams Sector 



Nothing to report 
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Department of Homeland Security (DHS) 

DHS Daily Open Source Infrastructure Report Contact Information 

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday 
through Friday] summary of open-source published information concerning significant critical 
infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for 10 days on 
the Department of Homeland Security Web site: http://www.dhs.gov/lPDailyReport 

Contact Information 

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS 

Daily Report Team at (703) 942-8590 

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow 

instructions to Get e-mail updates when this information changes . 

Removal from Distribution List: Send mail to support @ govdelivery.com . 



Contact DHS 

To report physical infrastructure incidents or to request information, please contact the National Infrastructure 
Coordinating Center at nicc@hq.dhs.gov or (202) 282-9201. 

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit 
their Web page at www.us-cert. gov . 

Department of Homeland Security Disclaimer 

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform 
personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright 
restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source 
material. 
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